Is Zoom Pro HIPAA Compliant? BAA Requirements Explained

Yes, Zoom Pro can be HIPAA compliant, but only if you sign a Business Associate Agreement (BAA) with Zoom during checkout and configure your account properly. The plan itself doesn’t automatically protect patient information. You need to take specific steps to make it compliant.

How to Sign a BAA on a Zoom Pro Plan

Zoom allows Pro, Business, Business Plus, and Enterprise customers to execute a BAA. For Pro plan users, the process happens right at checkout. On the Plans & Pricing page, click “Buy Now” for the Pro plan. On the checkout page, select “United States Agreement (BAA)” or “Canada Agreement (PHIA)” from the business country dropdown. You’ll be prompted to read and accept the agreement before completing your purchase.

This is a critical step. If you already have a Pro account and didn’t select the BAA option at checkout, you’ll need to go back and execute one before using Zoom for anything involving protected health information (PHI). No feature that could touch PHI, including recordings, chat, whiteboards, or transcripts, should be enabled until the BAA is in place.

Zoom has also had a third party review and certify that it implements the controls required under the HIPAA Security Rule, Breach Notification Rule, and the applicable parts of the Privacy Rule.

A BAA Alone Doesn’t Make You Compliant

Signing the BAA is the legal foundation, but HIPAA compliance depends heavily on how you configure and use Zoom. Zoom’s own documentation notes that once you execute a BAA, “no additional manual configuration is required,” but that refers to Zoom’s side of the agreement. Your organization is still responsible for how meetings are set up and how staff use the platform. Many HIPAA violations on Zoom come from user error, not platform limitations.

Security Settings You Need to Enable

Several settings should be turned on (or enforced) across your Zoom account to keep PHI protected:

  • Waiting rooms: Guests can’t join a meeting until the host admits them individually. This prevents unauthorized people from entering a session.
  • Encrypted chats: All in-meeting chats and text messages should be encrypted.
  • Encryption for third-party endpoints: If anyone joins via legacy video conferencing hardware (H.323/SIP systems), encryption must be required for those connections too.
  • Guest identification: Participants who don’t belong to your organization should be visibly flagged so hosts can identify who’s in the room.
  • Join/leave notifications: An audible sound plays when someone enters or exits, so no one slips into a session unnoticed.
  • End-to-end encryption (E2EE): Enable this in your admin settings and set it as the default for meetings that involve PHI. Note that E2EE disables telephone dial-in and some hardware connections, so all participants need to join from a supported Zoom client.
  • Multi-factor authentication: Require MFA for all users on the account. App-based authenticators or hardware security keys are more secure than SMS codes.

You should also remove device and user logging information that isn’t needed, which reduces the amount of identifiable data stored on Zoom’s systems.

Common Mistakes That Break Compliance

Even with the right plan and a signed BAA, several common configuration errors can expose PHI:

Using Personal Meeting IDs for patient sessions. Personal Meeting IDs are static links that never change, making them easy to share or guess. Use unique, auto-generated meeting IDs with passcodes for every session involving a patient.

Leaving “join before host” enabled. If patients or other participants can enter a meeting room before the host arrives, they could see information from a previous session or interact with another patient. Disable this setting and use waiting rooms instead.

Unrestricted screen sharing. Set screen sharing to “host only” by default. When you do share your screen, use the “share a window” or “share a portion of screen” option rather than sharing your entire desktop. Sharing the full screen risks accidentally displaying patient records, emails, or other applications containing PHI.

Cloud recording left on by default. Disable cloud recording for meetings that may include PHI. If you need to record, do so deliberately and ensure the recordings are stored and managed according to your organization’s HIPAA policies. Auto-transcription and AI-powered smart summaries should also be turned off unless they’re explicitly covered by your BAA, since these features capture and process spoken PHI.

Open chat and file transfer. During patient encounters, set chat to “host and panelists only.” Disable file transfer in chat unless it’s specifically approved. Remind staff not to type PHI into the chat window, since chat logs can be saved and exported.

Outdated software. Enable automatic updates for Zoom on all devices. Older versions may lack security patches that address known vulnerabilities. If your organization uses mobile device management tools, block Zoom versions below a minimum approved version and remove unused plugins or add-ons.

Zoom Pro vs. Higher-Tier Plans

From a pure HIPAA standpoint, Zoom Pro offers the same BAA and core security features as Business, Business Plus, and Enterprise plans. The higher tiers don’t unlock additional HIPAA-specific protections. What they do offer is administrative convenience: more granular user management, centralized policy enforcement across larger teams, and dedicated support channels that make it easier to maintain compliance at scale.

For a solo practitioner or small practice, a Pro plan with a properly executed BAA and the right settings is sufficient. Larger organizations with dozens of clinicians may find it easier to enforce consistent security policies on a Business or Enterprise plan, simply because those tiers offer better admin controls for managing many users at once.

What the BAA Actually Covers

The BAA is a legal contract that makes Zoom a “business associate” under HIPAA. It means Zoom agrees to safeguard any PHI that passes through its platform, report breaches, and limit how it uses that data. Without a BAA, even if every security setting is perfect, using Zoom with patient information violates HIPAA because there’s no legal agreement governing how Zoom handles that data.

The BAA covers the core Zoom platform: video meetings, in-meeting chat, and the associated infrastructure. If you use additional Zoom products or integrations, verify that they fall within the scope of the BAA before allowing PHI to flow through them.